I am deploying multiple Raspberry Pis in the field behind multiple different networks.
I will need remote shell access to these devices from time to time and a VPN client would be the easiest solution for me.
I have yet to successfully connect a Raspberry Pi (command line) to a MikroTik SSTP or L2TP VPN server.
Looking for a simple solution to deploy on these devices easily.
Any guides or advice would be great.
I have never been successful with OpenVPN & don’t want certificates, etc.
If there is a simple guide and implementation, I may consider it.
This looks interesting, but I am trying to understand how to configure the MikroTik x86 server.
For instance, how do I connect to the remote host? Just by SSH’ing to the x86 with port number that the pi dialed?
Replace it with a $5/month VPS. That will buy you a terabyte of transfer a month, enough CPU to manage the encryption, and the public IP the remote Raspberry Pis connect to.
how do I connect to the remote host?
Each Pi gets a serial number, which is either the TCP port itself or is an input to the formula that gets you that port number. My article uses 12345 as its example, but you could make it a 1-based number you write on a sticker on the Pi, then add 2000 or something to get it above 1024.
The article speaks of the ~/.ssh/config file as well. This lets you use names in place of numbers without going to the extent of setting up DNS:
    Host client-1 client-2
        HostName my-public-tunnel-server.example.com
        User pi

    Host client-1
        Port 2001
        LocalForward …something specific to that one client…

    Host client-2
        Port 2002
        LocalForward …etc, etc…
I love me some RouterOS, but there’s no particular call for it here.
If it had to be RouterOS in the center, I’d set it up as a WireGuard server, given that the remote clients are Linux-based. It’s not a wildly different config, but it is a bit more complicated per box. If you don’t need a full routable IP address scheme, SSH suffices.
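The serial-number-to-port scheme and the per-client config from the reply above, worked through as an added shell example that is not part of the thread. It derives the port (2000 + sticker serial), builds the ssh -N -R command the Pi runs, the matching ~/.ssh/config stanza for the operator, and a systemd unit that keeps the tunnel up across reboots and network drops. The server name and user are the ones in the config above; the key path /home/pi/.ssh/tunnel_key, the service name and the assumption that the server's host key is already pinned in the Pi's known_hosts are mine. One deliberate design difference: the listener stays on the server's loopback and the operator hops through the server with ProxyJump, so the Pi's sshd is never exposed on the server's public IP (the direct HostName/Port form above needs GatewayPorts enabled on the server).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the Pi runs sshd on port 22,
# logs in to the tunnel server as "pi" with the key in /home/pi/.ssh/tunnel_key,
# and the server's host key was pinned in known_hosts when the Pi was provisioned.
TUNNEL_SERVER="my-public-tunnel-server.example.com"   # host from the config above
TUNNEL_USER="pi"
TUNNEL_KEY="/home/pi/.ssh/tunnel_key"                 # assumption
PORT_BASE=2000                                        # sticker serial + 2000 keeps ports above 1024

# port_for_serial N: 2000 + N, rejecting anything that is not a positive integer
port_for_serial() {
    case "$1" in
        ''|*[!0-9]*) echo "serial must be a positive integer" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] || { echo "serial must be >= 1" >&2; return 1; }
    echo $((PORT_BASE + $1))
}

# tunnel_command N: the ssh invocation the Pi runs. -N opens no shell; -R asks
# the server to listen on 127.0.0.1:PORT and hand connections back to the Pi's
# sshd. ExitOnForwardFailure makes ssh exit (so systemd restarts it) when the
# port is still held by a dead session, instead of running without a tunnel.
tunnel_command() {
    port=$(port_for_serial "$1") || return 1
    printf '%s' "/usr/bin/ssh -N -i $TUNNEL_KEY" \
        " -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        " -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -R 127.0.0.1:${port}:localhost:22 ${TUNNEL_USER}@${TUNNEL_SERVER}"
}

# client_config_stanza N: ~/.ssh/config entries for the operator's machine.
# The listener is loopback-only on the server, so reach it through the server
# with ProxyJump rather than via the server's public IP on port 200N.
client_config_stanza() {
    port=$(port_for_serial "$1") || return 1
    cat <<EOF
Host tunnel-server
    HostName $TUNNEL_SERVER
    User $TUNNEL_USER

Host client-$1
    HostName 127.0.0.1
    Port $port
    User $TUNNEL_USER
    ProxyJump tunnel-server
EOF
}

# systemd_unit N: keeps the tunnel up. Install on the Pi as
# /etc/systemd/system/reverse-tunnel.service (name is an assumption), then
# run: systemctl enable --now reverse-tunnel
systemd_unit() {
    cmd=$(tunnel_command "$1") || return 1
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel for Pi serial $1
After=network-online.target
Wants=network-online.target

[Service]
User=$TUNNEL_USER
ExecStart=$cmd
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on a Pi with serial 1 (as root): systemd_unit 1 > /etc/systemd/system/reverse-tunnel.service
# Usage on the operator's machine:      client_config_stanza 1 >> ~/.ssh/config
```

With this in place, `ssh client-1` on the operator's machine goes server first, then over the loopback listener to the Pi, and the Pi's own sshd is reachable from nowhere else.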
Thanks. I figured it out with the SSH to the MikroTik.
I work for an ISP, have a Dell PowerEdge in a rack and already had a MikroTik x86 set up with a public IP. I was just looking for a way to make the connections. Even running an x86 on a free license gives me enough bandwidth to run SSH tunnels to multiple Pis.
Thanks for pointing me in this direction. I may end up posting the whitepaper guide I wrote for myself to configure the Pis with the automatic tunnel with systemd.
One of the advantages of SSH over WG in cases like this is trivial client isolation. The easy path with WG puts them all on the same LAN, but if the remote Pis don’t have good reasons to see each other, now you need to set up barriers between each WG endpoint. With the “ssh -N” option — log in and set up tunnels, but run no commands — the clients don’t see each other.
They can still drop the -N option and see the central server they’re all connected to, though, which in the case of a RouterOS tunnel server means you’re limited to the rather simple controls RouterOS offers. If you needed strong client isolation, a proper OpenSSH server lets you set the ForceCommand setting to something harmless, and to isolate logins using the security foundations of Linux rather than the simplistic ROS RBAC system.
If you’re going to stick with ROS in the center, I recommend setting up a Pi-specific group and turning off as many user policies for that group as you can get away with. Ideally, leave just “ssh”.
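The server-side isolation described in the two replies above, as an added shell example that is not part of the thread and not the poster's own setup. It generates three things: an OpenSSH Match block that gives the tunnel accounts no shell, no PTY and remote (-R) forwarding only; an authorized_keys line that pins each Pi's key to its own loopback port with permitlisten, so a key lifted from one Pi cannot squat on another Pi's port; and, for the case where RouterOS stays in the centre, the user group with only the "ssh" policy plus the /ip ssh setting that allows remote forwarding. The group name pi-tunnel, the 2000 + serial port formula, the nologin path and the RouterOS command syntax (written from memory of RouterOS 7; check against the version you run) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Each Pi logs in as its own account in
# group pi-tunnel and may only open the reverse listener for its own port.
# Group/user names, the 2000+serial port formula and paths are assumptions.
PORT_BASE=2000
TUNNEL_GROUP="pi-tunnel"

# sshd_match_block: append to /etc/ssh/sshd_config (Match blocks must follow
# the global settings) and reload sshd. Applies to every account in the group.
sshd_match_block() {
    cat <<EOF
Match Group $TUNNEL_GROUP
    # a login without -N gets nologin instead of a shell and is closed
    ForceCommand /usr/sbin/nologin
    PermitTTY no
    # -R listeners only: no -L/-D out through the server, no tun/tap, no agent
    AllowTcpForwarding remote
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no
    PermitUserRC no
    # reap dead sessions so a rebooted Pi can re-bind its port
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# authorized_keys_line SERIAL PUBKEY: one line for that Pi's account.
# "restrict" turns off pty, agent/X11 forwarding and rc; "port-forwarding"
# re-enables forwarding; permitlisten limits -R to this Pi's loopback port.
authorized_keys_line() {
    port=$((PORT_BASE + $1))
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$port" "$2"
}

# routeros_commands SERIAL: the equivalent if RouterOS stays in the centre.
# The group carries only the "ssh" policy; the Pi's public key (uploaded to
# the router's files as pi-N.pub beforehand) is imported and a random password
# is set so the account cannot be used with an empty one. Syntax is from
# memory of RouterOS 7 (assumption).
routeros_commands() {
    random_pw=$(head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \n')
    cat <<EOF
/user group add name=$TUNNEL_GROUP policy=ssh
/user add name=pi-$1 group=$TUNNEL_GROUP password="$random_pw"
/user ssh-keys import user=pi-$1 public-key-file=pi-$1.pub
/ip ssh set forwarding-enabled=remote strong-crypto=yes
EOF
}

# Usage (OpenSSH server):
#   sshd_match_block >> /etc/ssh/sshd_config
#   authorized_keys_line 1 "$(cat pi-1.pub)" >> /home/pi-1/.ssh/authorized_keys
# Usage (RouterOS): paste the output of "routeros_commands 1" into the terminal.
```

The Match block and the key options overlap on purpose: the block protects against a mistake in one key line, and the key line protects against a mistake in the block. With both, a Pi that drops the -N option gets nologin and the session ends, and a Pi that requests any port other than its own has the forward refused by sshd.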
On that PowerEdge, I bet it costs more than $5/month to power and cool.
Plus, a public VPS instance will be easier to isolate from the rest of your server rack.